[Forgot Password]
Login  Register Subscribe












Paid content will be excluded from the download.

Matches : 1588 Download | Alert*

Mozilla developer Myk Melez reported that with specifically timed page navigation, the doorhanger notification for Web App installation could persist from one site to another without being dismissed by the navigation. This could be used by a malicious site to trick a user into installing an application from one site while making it appear to come from another.

Yazan Tommalieh discovered a flaw that once users have viewed the default Firefox start page (about:home), subsequent pages they navigate to in that same tab could use script to activate the buttons that were on the about:home page. Most of these simply open Firefox dialogs such as Settings or History, which might alarm users. In some cases a malicious page could trigger session restore and cause ...

Security researcher Alex Infuhr reported that on Firefox for Android it is possible to open links to local files from web content by selecting Open Link in New Tab from the context menu using the file: protocol. The web content would have to know the precise location of a malicious local file in order to exploit this issue. This issue does not affect Firefox on non-Android systems.

Firefox for Android includes a Crash Reporter which sends crash data to Mozilla for analysis. Security researcher Roee Hay reported that third party Android applications could launch the crash reporter with their own arguments. Normally applications cannot read the private files of another application, but this vulnerability allowed a malicious application to specify a local file in the Firefox p ...

Security researcher Juho Nurminen reported that on Firefox for Android, when the addressbar has been scrolled off screen, an attacker can prevent it from rendering again through the use of script interacting DOM events. This allows an attacker to present a fake addressbar to the user, possibly leading to successful phishing attacks.

Mozilla developers David Chan and Gijs Kruitbosch reported that it is possible to create a drag and drop event in web content which mimics the behavior of a chrome customization event. This can occur when a user is customizing a page or panel. This results in a limited ability to move UI icons within the visible window but does not otherwise affect customization or window content.

Mozilla developer Patrick McManus reported a method to use SPDY or HTTP/2 connection coalescing to bypass key pinning on different sites that resolve to the same IP address.This could allow the use of a fraudulent certificate when a saved pin for that subdomain should have prevented the connection. This leads to possible man-in-the-middle attacks if an attacker has control of the DNS connection an ...

Google security researcher Michal Zalewski reported that when a malformed GIF image is repeatedly rendered within a canvas element, memory may not always be properly initialized. The resulting series of images then uses this uninitialized memory during rendering, allowing data to potentially leak to web content.

Security researcher Ash reported an issue affected the Mozilla Maintenance Service on Windows systems. The Mozilla Maintenance Service installer writes to a temporary directory created during the update process which is writable by users. If malicious DLL files are placed within this directory during the update process, these DLL files can run in a privileged context through the Mozilla Maintenan ...

Mozilla developer Boris Zbarsky reported that a malicious app could use the AlarmAPI to read the values of cross-origin references, such as an iframe"s location object, as part of an alarm"s JSON data. This allows a malicious app to bypass same-origin policy.

Pages:      Start    142    143    144    145    146    147    148    149    150    151    152    153    154    155    ..   158

© 2013 SecPod Technologies